I’m working on the perfect solution for my allow / deny rules. For my project, users who are logged in are able to create a post in the database where everyone can see it. When other users can see it, it should only be the owner of the document that can insert, update and delete that post. How do I check for that? I use Quickform to insert.
But this code returns an error whenever I want to create a new post. So I’m not allowed to either insert, update or delete any posts, not even my own. Can anyone help me with that?
Sorry for not helping you with your particular implementation problem, I’m just dropping this best practice here, so maybe you’ll just change your app architecture.
“Perfect” is unfortunately a word that doesn’t truly work without a context. For one, a perfect solution is the one which gives the client the ultimate user experience. For another, a perfect solution will be the most secure one. And then, there’s always the third way of “perfect” meaning the optimal compromise between both.
I highly recommend doing all your inserts, updates and removes via Meteor.methods, on the server instead of the client, with a client stub to keep the user experience nice with optimistic UI.
That’s also recommended in the official guide http://guide.meteor.com, in the security chapter. One of the subchapters is even called “Avoid allow/deny”.
Edit: But I see that @josmardias wrote it already in the meanwhile.
I now get the point of not using allow / deny rules for client-side users because it’s all or nothing, and I should instead use a Method. Maybe it’s just me, but I can’t seem to find an example of a Method where they actually use, let’s say, insert.
Let’s say I want users to create a post, where they insert their location and description on the post. When they click “Submit” to insert the new post into the database, would this do the trick then? @josmardias @brajt
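For illustration of the method-based approach recommended above (and of the insert/update/remove Method asked about), here is an added example that is not code from anyone in this thread. Meteor itself is not loaded, so Meteor.methods / Meteor.call, this.userId, Mongo.Collection and Meteor.Error are replaced by minimal in-memory stand-ins (all assumptions, marked in the comments) so the file runs on plain Node; the method bodies themselves are written the way they would be in a real Meteor app. The Posts collection, the user ids alice/bob and the posts.* method names are made up for the example.

```javascript
// Added illustration, not code from this thread. Ownership checks live in
// server-side methods instead of allow/deny rules. Meteor is not loaded, so
// Meteor.methods / Meteor.call, this.userId, Mongo.Collection and Meteor.Error
// are replaced by minimal in-memory stand-ins (assumptions) for plain Node.

// Stand-in for Mongo.Collection: an in-memory map keyed by _id.
class Collection {
  constructor() { this.docs = new Map(); this.nextId = 1; }
  insert(doc) {
    const _id = String(this.nextId++);
    this.docs.set(_id, { _id, ...doc });
    return _id;
  }
  findOne(_id) { return this.docs.get(_id); }
  update(_id, fields) {
    const doc = this.docs.get(_id);
    if (!doc) return 0;
    Object.assign(doc, fields);
    return 1;
  }
  remove(_id) { return this.docs.delete(_id) ? 1 : 0; }
}

// Stand-in for Meteor.Error (machine-readable code plus a reason).
class MeteorError extends Error {
  constructor(error, reason) { super(reason || error); this.error = error; this.reason = reason; }
}

// Stand-in for Meteor.methods / Meteor.call. On a real server this.userId
// comes from the authenticated DDP session, never from the method arguments.
const methods = {};
function defineMethods(defs) { Object.assign(methods, defs); }
function callAs(userId, name, ...args) {
  const fn = methods[name];
  if (!fn) throw new MeteorError('not-found', `Method '${name}' not found`);
  return fn.apply({ userId }, args);
}

const Posts = new Collection();

// Argument validation in the spirit of check() from meteor/check.
function checkString(value, name, max) {
  if (typeof value !== 'string' || value.length === 0 || value.length > max) {
    throw new MeteorError('invalid-argument', `${name} must be a non-empty string of at most ${max} chars`);
  }
}

// Loads the post and verifies that the caller is logged in and owns it.
function requireOwner(userId, postId) {
  if (!userId) throw new MeteorError('not-authorized', 'Login required');
  checkString(postId, 'postId', 64);
  const post = Posts.findOne(postId);
  if (!post) throw new MeteorError('not-found', 'No such post');
  if (post.owner !== userId) throw new MeteorError('not-authorized', 'Only the owner may change this post');
  return post;
}

// The only fields a client may set, with their maximum lengths.
const EDITABLE = { location: 200, description: 5000 };

defineMethods({
  'posts.insert'(location, description) {
    if (!this.userId) throw new MeteorError('not-authorized', 'Login required');
    checkString(location, 'location', EDITABLE.location);
    checkString(description, 'description', EDITABLE.description);
    // The owner comes from the session, not from the client payload, so a
    // caller cannot create a post in someone else's name.
    return Posts.insert({ owner: this.userId, location, description, createdAt: new Date() });
  },
  'posts.update'(postId, fields) {
    requireOwner(this.userId, postId);
    if (typeof fields !== 'object' || fields === null) throw new MeteorError('invalid-argument', 'fields must be an object');
    // Whitelist the editable fields so extra keys (e.g. owner) are dropped.
    const allowed = {};
    for (const key of Object.keys(EDITABLE)) {
      if (key in fields) { checkString(fields[key], key, EDITABLE[key]); allowed[key] = fields[key]; }
    }
    if (Object.keys(allowed).length === 0) throw new MeteorError('invalid-argument', 'Nothing to update');
    return Posts.update(postId, allowed);
  },
  'posts.remove'(postId) {
    requireOwner(this.userId, postId);
    return Posts.remove(postId);
  },
});

// Walks through the scenario from the question: alice creates a post, bob and
// an anonymous caller try to change it, then alice edits and removes it.
function demo() {
  const id = callAs('alice', 'posts.insert', 'Berlin', 'Meetup by the river');
  const outcomes = [];
  const attempt = (userId, name, ...args) => {
    try { callAs(userId, name, ...args); outcomes.push(`${userId}:${name}:ok`); }
    catch (e) { outcomes.push(`${userId}:${name}:${e.error}`); }
  };
  attempt('bob', 'posts.update', id, { description: 'defaced' });
  attempt(null, 'posts.remove', id);
  attempt('alice', 'posts.update', id, { description: 'edited', owner: 'bob' });
  const afterEdit = { ...Posts.findOne(id) };
  attempt('bob', 'posts.remove', id);
  attempt('alice', 'posts.remove', id);
  return { afterEdit, stillExists: Posts.findOne(id) !== undefined, outcomes };
}
```

In a real Meteor app the same `Meteor.methods({...})` block is imported by both client and server: on the client it runs as the stub against minimongo for optimistic UI (you can branch on `this.isSimulation` if the stub should do less), and the server run is the one that counts, so the ownership check and the field whitelist belong in the shared method body and never in the form code. Two details worth keeping: the owner is always `this.userId`, never a value sent by the client, and `update` only copies whitelisted keys, so a crafted call cannot hand the post to another user.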